GDPR Registry Web App

To manage the whole GDPR process, you need a central point
where information about GDPR procedures are stored and can be updated
on a regular basis by dedicated personnel, including your Data Protection Officer.
This central place is of fundamental importance to keep track of your current compliance status,
identify issues and mitigate them. And this is exactly the role of the so-called
Registry of Data Processing Activities, described in the GDPR Article 30.
It can also demonstrate that GDPR is a continuous process that has become an integral part of your business.
This is a key step towards an enhanced security posture.

The Pluribus One GDPR Registry Web app allows you to keep track of all data processing
activities according to a hierarchical structure and the various GDPR stages highlighted in this document.

Key Features

Open Source: You may freely use and modify it according to our licence.

Sound framework and suggestion mechanisms: We implemented the Registry App exploiting to our expertise in the field of cybersecurity, and a thorough study of GDPR (which nowadays, it is essentially a cybersecurity problem) to build a comprehensive framework. As you fill in the registry, the app can suggest you how to proceed. We have inserted some useful suggestions that come from our GDPR framework and expertise.

Report Generation: You can generate, anytime, an updated, high-quality PDF report with all your data registry. This is a very useful feature especially if you organization is under investigation by GDPR supervisory authorities.

Multi-language: Full translation support thanks to the Django framework. Currently, the interface is available in English and Italian language.

GDPR technology and services: If you need, Pluribus One offers advanced technology and services around GDPR (see https://gdpr.pluribus-one.it), to help you to achieve GDPR compliance.

Hierarchical Structure

The main hierarchical structure of the registry is showed as follows.

Organizatione.g., Acme SRL

Business Processe.g., Human Resources

Processing Activitye.g., Contractualization

Data Audite.g., Identity documents of employees

Data Management PolicyHow data is managed to prevent data breaches?

Data Breach DetectionHow can we detect data breaches?

Incident Response PlanHow can we respond to data breaches?

Data Protection Impact AssessmentIt includes a detailed document about the previous three mitigation measures for the prevention, detection and response against data breaches.

You may add as many entries as you require in the registry, e.g., unlimited number of organizations, business processes, activities, data audits, and so on.

Hierarchical Structure - Example

An example of hierarchical structure of the GDPR app registry is showed below.

Organization

Name: Acme SRL

Address: Via delle Strade, 9, 09123, Cagliari

State: Italy

Statute: Private Company

Data Protection Officer: Mario Rossi

Business Process

Name: Human resources

Description: Human resource management, overseeing various aspects of employment,
such as compliance with labour law and employment standards, administration of employee benefits,
and some aspects of recruitment and dismissal

Processing Activity

Name: Contractualization

Description: Activity required to contractualize employees

Data Audit

Description: identity documents of employees

Category: personal identifiable information

Scope of treatment: personnel management

Legal base: necessary for the execution of a contract (GDPR art. 6(1)b)

Inherent risk: medium

Data Management Policy

Description: data is stored in a private database, in encrypted form, and
can be accessed only by the following persons: Robb Jones (administrative employee)

Data transfers: the data is not transferred to third parties

Data Subject Rights: data subjects are informed and explicitly agreed
our privacy policy (link to document X).
The document X also explains how they can view, correct, cancel, and limit the scopes of our data management.

Residual risk (of data breaches): low

Data Breach Detection

Description

each access to the private database is monitored,
logged in a append-only logging database